Re: a different, stranger port 137 activity

Mike,

> We've been experiencing a lot of strange port 137
> traffic from one
> of our IP's behind our firewall to somewhere
> offsite.  I've been trying to
> track it down but I have been unsuccessful at it.

It sounds as if you have been successful...you've
determined that it's coming from one of your machines,
and going off-site.
 
> But, when I looked at the
> machine, the machine didn't
> have any of the files associated with that
> virus/trojan. 

Can you be more specific w/ regards to what you're
referring to?  Did you do a search?  Or did you run
A/V software?

> Now all this was happening to a web
> server / real audio server for awhile now. 

When you say "happening to", do you mean that the
traffic is originating from this box, or is this box
receiving the traffic?
 
> Any help would be greatly appreciated!  I just
> don't quite
> understand how this IP is getting through our
> firewall since there are no
> conduits open on port 137.  

Your tcpdump shows that the packets are UDP datagrams,
so the term "conduit" doesn't necessarily apply. 
Looking at the dump you provided, the traffic looks
pretty normal...NetBIOS name requests going from
machine to machine.  One way to test this is to get a
copy of fport.exe from FoundStone's site, and run
that...then see which process is bound to that port.

Again...it looks pretty normal.  You said that this
traffic was associated w/ a web server...IIS attempts
a name lookup for the IPs that make connections to GET
web pages, and one of the ways it does the lookup is a
NetBIOS name request.  

HTH 


__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com